How to bank safely online at home

Target breach showcases need for vigilance

Dec. 31, 2013

Most financial institutions, however, have yet to tune in to the trend of 'two-step verification.' Among those who do is CitiBank. Pictured is a Citibank in Philadelphia. / Matt Rourke / File / Associated Press

Written by

Rob Pegoraro

Special for USA Today

:

TIP: ENABLE YOUR BANK’S TWO-STEP VERIFICATION

Many major sites, from Facebook to Google to Microsoft to Yahoo, now allow “two-step verification” to protect users’ logins from the loss of a password. That option requires users to vouch for all logins, or only those from strange computers or locations, by typing in a one-time password sent to their phone via text message or to a specialized app like Google Authenticator.

Most financial institutions, however, have yet to tune in to this trend. There’s Bank of America’s SafePass, CitiBank’s identification codes Ally Bank’s Security Code, and not much else. But if your bank offers this option — which may require looking around its site — you should enable it right away. And if it doesn’t, you might want to ask why.

More

ADVERTISEMENT

Question:What’s the safest way to do my online banking: over a wired connection, powerline networking or Wi-Fi?

Answer: The answer doesn’t matter as much as you might think, but asking the question does mean you’re approaching your online security in the right state of mind.

If you’re not sufficiently depressed about the state of financial security online, Target’s massive credit-card breach — apparently executed by exploiting the retailer’s in-store systems — offers a reminder that many account compromises happen in places we can’t control.

And the best way to watch for them is to monitor your account for unusual transactions — which means you should do more online banking, not less.

How are you wired?

Overall, a wired Ethernet link is more secure than either Wi-Fi or powerline networking, in which the electrical wires in your home carry Internet data. To compromise an Ethernet network, an attacker needs to get into your house and plug in a laptop, while Wi-Fi signals go beyond your home and powerline networks can leak information to adjacent dwellings.

Both Wi-Fi and powerline setups come with encryption options to scramble data flowing over the network; once you switch them on, an attacker would need to know the password to break in. But Wi-Fi’s obsolete WEP encryption can easily be defeated — and is still presented as a valid option in routers’ setup routines.

Furthermore, if you leave a router on its default administrative password, somebody who connects to your network can also monkey with the router’s settings to redirect your traffic to rogue sites. For much the same reason, you shouldn’t automatically trust third-party wireless hot spots.

What's your bank security?

Financial sites use encryption of their own to scramble data flowing to and from your computer — as reported by your browser with a lock icon in its toolbar that, when clicked, should display an info sheet including the bank’s name — and that should almost always outweigh the security of your local network.

(A determined attacker could defeat a bank’s login security by persuading a user to connect to a router running malware that subverts this encryption, but this seems to have been a theoretical exercise to date.)

What gaps could exist?

Your local network, however, makes up only one part of the “attack surface” of online banking, and it may not be nearly as profitable as two others: your computer and your mind.

If an attacker can get a keylogger on your computer to record your keystrokes, the strength of your bank’s encryption and your password won’t matter at all — each tap of the keyboard will have already been recorded and transmitted.